The Australian federal police have been hacked after their boasts of a recent hacker bust drew the ire of one angry hacker. (Source: Monsters and Critics)

Yet another example of stunning IT in-security rears its ugly head

Last night an episode of ABC's
Four Corners,
an Australian show looked at a police investigation that was
ferreting out hackers
in the "Land Down Under". On the segment, the police
brazenly boasted of recent hacker arrests. Neil Gaughan,
national manager of the federal police's High Tech Crimes Operation
cheered, "We can operate in a covert activity here fairly
seamlessly with no harm to our members with continual and actual
significant penetration."

Now it appears the joke is on
them, as the Australian federal police have had their systems
hacked.

The story began
last week on Wednesday when police raided the home of an
administrator of underground hacking forum, r00t-y0u.org. The
police seized the admin's computers and apparently got passwords out
of him as well. They then began logging onto the forum and
using it as a honeypot, reaping a wealth of evidence of
wrongdoing.

However, hackers caught wind that something odd
was afoot, since they had heard of the admin's arrest and became
suspicious of how he could be log in to the forum so quickly.
Their suspicions were confirmed when the police posted a taunting
message on the forum stating "all member IP addresses have been
logged" and arrests were being made.

Enraged, some
members of the hacker community broke into the system the police were
using in the investigation and then proceeded to use it to gain
access to both the police evidence and intelligence about federal
police systems. A spokesperson for the police acknowledges the
intrusion stating, "The AFP has identified a person whom [sic]
has attempted to access the stand-alone computer system and we are
currently working with our law enforcement partners regarding this
matter."

On the site Pastebin.com, the hacker mocked the
police for "making it sound like they can bust 'hackers', when
all they have done is busted a COUPLE script kiddies."
They also posted screenshots of fake IDs and stolen credit card
numbers, taken off the police servers as proof of their access.

The
hacker continued to mock the police stating, "I couldn't stop
laughing" on seeing that the federal police's server was running
Windows (which most hackers avoid for security reasons). He also
gloated over the fact that police "left the MYSQL password
blank." The hacker continues, "These dipshits are
using an automatic digital forensics and incident response tool.
All of this [hacking] had been done within 30-40 minutes. Could of
been faster if I didn't stop to laugh so much."

The
hacker reportedly used an attack method called SQL injection.
As the database app was not password protected, he was able to create
a PHP file on the disk, browse through it and gain full access to the
server.

Police claim the files were intentionally placed on
the system and not compromised. They said they place copies of
previously compromised files on a special server for cybercrime
investigations. No charges have been filed yet against
r00t-y0u.org members.

"Paying an extra $500 for a computer in this environment -- same piece of hardware -- paying $500 more to get a logo on it? I think that's a more challenging proposition for the average person than it used to be." -- Steve Ballmer